08 Apr 2024 09:10 PM - last edited on 10 May 2024 03:18 PM by Michal_Gebacki
Hi,
Title is pretty self-explanatory. I am looking for a way to use the credential vault to fill in a configuration entry so that we can prevent a password leak or something like that. Right now the text entries don't seem to provide a way to reference an item in the credential vault, unless I am wrong. If there isn't a way to do this, is this something you would consider adding in the future?
Thanks,
Benji_Dynatrace
08 Apr 2024 09:26 PM
Have not used this yet, but seems to be available, according to the following two threads:
https://community.dynatrace.com/t5/Product-ideas/RFE-Extend-the-use-of-Credential-Vault-to-Dynatrace...
09 Apr 2024 10:10 AM
It's up to each extension to implement such a feature. If you're missing it for a specific one which is available on the Dynatrace hub, please raise a product idea on the community forum.
When creating an extension in extension framework 2.0 it's possible to add credential vault support to the activation schema using this format:
    "useCredentialVault": {
      "displayName": "Use credential vault",
      "type": "boolean",
      "nullable": false,
      "default": true,
      "maxObjects": 1
    },
    "credentialVaultId": {
      "displayName": "Select Vault credentials",
      "nullable": true,
      "type": "text",
      "subType": "credential",
      "referencedType": "USERNAME_PASSWORD",
      "maxObjects": 1,
      "precondition": {
        "type": "EQUALS",
        "property": "useCredentialVault",
        "expectedValue": true
      },
      "constraints": [
        {
          "type": "NOT_BLANK"
        }
      ]
    },
    "username": {
      "displayName": "User Name",
      "type": "text",
      "nullable": false,
      "default": "",
      "precondition": {
        "type": "EQUALS",
        "property": "useCredentialVault",
        "expectedValue": false
      },
      "constraints": [
        {
          "type": "LENGTH",
          "minLength": 1,
          "maxLength": 500
        }
      ],
      "maxItems": 1
    },
    "password": {
      "displayName": "Password",
      "type": "secret",
      "nullable": false,
      "default": "",
      "precondition": {
        "type": "EQUALS",
        "property": "useCredentialVault",
        "expectedValue": false
      },
      "constraints": [
        {
          "type": "LENGTH",
          "minLength": 1,
          "maxLength": 500
        }
      ],
      "maxItems": 1
    }
09 Apr 2024 01:16 PM
That's exactly it, thank you so much!
23 Dec 2024 06:54 PM
Hi @Mike_L , @Benji_Dynatrace ,
The above answer is oriented towards extension developers, not users. What if I want to use an extension published on the extensions hub, with Vault-based secrets in the configuration? It seems there is no type-ahead or suggest feature when I click on the text box? E.g. F5 Big IP extn 2.0
So, I say the original question still remains: is it possible to use a specific format of input to suggest that we are using a vault secret (similar to synthetics {} syntax) and not plain text?
Please help?
24 Dec 2024 01:11 AM
It is only possible if the extension developer has added the above code, in which case you get a dropdown with your credential vault items.
19 Jul 2025 07:41 PM
Came across this, because I just wanted to build vault support into one extension as well.
From a UI configuration side this is all fine, but how would I get the actual value of the CV item in e.g. the python code of my extension?
13 Aug 2025 11:09 AM
Well, that's half of it I'd say. There is no documented way to access the content of a credential vault entry. The REST API just delivers metadata and I could not find an extension function to do this. So what am I missing here?
13 Aug 2025 02:29 PM
@TorstenHellwig, afaik, Dynatrace automatically populates the values (in the example above, for username and password); you will also get the credential vault entry ID. So you don't need to call anything, you just have the values directly in activation_config as for any other configuration properties.
13 Aug 2025 02:33 PM - edited 13 Aug 2025 02:41 PM
That's what I would have expected, but it doesn't seem to be the case ...
In the above example 'password' and 'username' would only be filled if 'useCredentialVault' is false.
Otherwise 'credentialVaultId' just contains the vault ID, but no additional fields for 'username' or 'password'.
13 Aug 2025 03:46 PM
@r_weber works for me. A very dirty minimal example attached.
If executed and configured with a credential vault, I get the values from the vault. Actual snippet from extension log on a oneagent.
[b9fbad40-5573-32cf-8a7e-26873b3d0e38][python-b9fbad40-5573-32cf-8a7e-26873b3d0e38][3344887][out]2025-08-13 16:41:29,029 [INFO] credential_vault (ThreadPoolExecutor-0_0): query method started for credential_vault.
[b9fbad40-5573-32cf-8a7e-26873b3d0e38][python-b9fbad40-5573-32cf-8a7e-26873b3d0e38][3344887][err]2025-08-13 16:41:29,029 [ERROR] credential_vault (ThreadPoolExecutor-0_0): ActivationConfig(version='0.0.2', enabled=True, description='test', type=ActivationType.LOCAL, config={'endpoints': [{'useCredentialVault': True, 'credentialVaultId': 'CREDENTIALS_VAULT-8E8E7AC5C1C97734', 'username': 'api-dyntrace-user', 'password': 'DynaPassword'}]})
[b9fbad40-5573-32cf-8a7e-26873b3d0e38][python-b9fbad40-5573-32cf-8a7e-26873b3d0e38][3344887][out]2025-08-13 16:41:29,029 [INFO] credential_vault (ThreadPoolExecutor-0_0): query method ended for credential_vault.
14 Aug 2025 04:26 PM
Thanks for providing this! Is there any documentation out there that you referenced to accomplish this?
14 Aug 2025 05:08 PM - edited 14 Aug 2025 05:14 PM
Thanks @Julius_Loman , that is interesting indeed. Exactly what I'd have expected. Wondering why it didn't work in my example and where I went wrong. However I used a more complex example with custom schemas, but in principle it was the same config.
So in one case (not using credential vault) the config['username'] is filled and in the other case (using credential vault) the config['credentialvaultid']['username'] is populated.
Maybe I was looking at a way to always populate config['username'] so that there is no special handling in code required.
14 Aug 2025 06:08 PM
@r_weber no, it's in the same properties, so no special code is needed.
Without vault:
[{'useCredentialVault': False, 'username': 'user', 'password': 'password'}]
With vault:
[{'useCredentialVault': True, 'credentialVaultId': 'CREDENTIALS_VAULT-8E8E7AC5C1C97734', 'username': 'api-dyntrace-user', 'password': 'Ap;DynTR4ceUs3r'}]
activationSchema is still magic without (public) documentation. The best way to get with it is to find an extension which uses the feature you want, download it and look in the source how to do it.
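The two config shapes shown in this thread can be consumed by a single code path, and the config can be logged with the password masked rather than dumped whole as in the log snippet earlier in the thread. This is an added example, not part of any post and not Dynatrace's own code; `resolve_credentials`, `redact` and the sample values are hypothetical, and it assumes each endpoint entry arrives as a plain dict with the keys shown above.

```python
import copy

# Hypothetical helper names; the key names come from the schema and output in this thread.
SECRET_KEYS = {"password"}

# Constructed sample configs shaped like the "without vault" / "with vault" cases above.
WITHOUT_VAULT = {"endpoints": [
    {"useCredentialVault": False, "username": "user", "password": "example-pass-1"}]}
WITH_VAULT = {"endpoints": [
    {"useCredentialVault": True, "credentialVaultId": "CREDENTIALS_VAULT-0000000000000000",
     "username": "vault-user", "password": "example-pass-2"}]}


def resolve_credentials(endpoint: dict) -> tuple[str, str]:
    """Return (username, password) from one endpoint entry, vault-backed or not."""
    username = endpoint.get("username")
    password = endpoint.get("password")
    if not username or not password:
        # Name where the values should have come from without echoing any secret.
        source = (f"credential vault entry {endpoint.get('credentialVaultId')}"
                  if endpoint.get("useCredentialVault") else "manual username/password")
        raise ValueError(f"credentials not populated from {source}")
    return username, password


def redact(value):
    """Return a deep copy of a config structure with secret values masked for logging."""
    if isinstance(value, dict):
        return {k: "***" if k in SECRET_KEYS and v else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return copy.deepcopy(value)


if __name__ == "__main__":
    for config in (WITHOUT_VAULT, WITH_VAULT):
        for endpoint in config["endpoints"]:
            user, _password = resolve_credentials(endpoint)
            print(f"connecting as {user}; config={redact(config)}")
```
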
27 Aug 2025 07:15 PM
@Julius_Loman thank you for your insight and sharing of this information, the zip file you shared helped me massively. And I was able to successfully pass credential vault id and capture username and password.
Would you happen to know how to download an extension where there is a feature I want to take from for my development? I currently am using VS Code and extensions are visible in our environment but I am unable to download/view the source code. My API key has all the extensions 2.0 scopes available.
27 Aug 2025 08:18 PM
If the extension is already in your environment, you can download it directly to your VS Code workspace when initializing the workspace:
Another option is to grab it directly from the hub page:
Find the extension you want, open release notes (1), release (2), and click on download (3). You will download the extension package, which contains the extension, schema, and all python packages.